Alan Baxter wrote: Even with its default settings, NoScript is a trade-off between usability and security. I recommend the default settings, especially if you're new to NoScript. You may get many differing opinions, but here are some of my settings.
Yes, you are right. Even ABP is a trade-off, although to a much lesser extent, because it occasionally has a few false positives and breaks some sites.
But the level of inconvenience is perfectly acceptable to me, since NoScript can protect us from zero-day exploits via third-party plugins and from XSS attacks. It's only one click away to fix it if the page seems broken. Use "Temporarily allow" (or "Temporarily allow all this page" if you don't want to check them one by one). I will permanently allow it if I browse that site often and the functionality is useful to me.
Just permanently allow it if you think this two-step route is too much trouble. You will be slightly less safe, but you are still much safer than default Firefox users, who let every potentially vulnerable script and plugin run on all sites. And you are still safe most of the time even if a whitelisted site is compromised, because NoScript can still block third-party exploits even when you are on a whitelisted site. You are only vulnerable if the whitelisted site itself is compromised and malware has been planted on its servers.
It's not really annoying at all once you get used to that browsing mode. I used to browse with IE in a similar way (normal restricted zone / trusted zone) a long time ago. It's not a problem at all.
A limited user account, on the other hand, breaks far too many things, and it's not a few clicks to fix it when problems occur. Really far from easy fixes. You have to search all over the web to restore the broken functionality that you want to use in an LUA. Software is somehow "broken" in an LUA. It's far too annoying to use.
Seeing the cases above, you probably see where my level of tolerance lies. I don't mind going through a few extra steps to restore functionality if the problem is (1) easily detectable and (2) easily fixable. (1) NoScript informs me every time scripts/plugins are disabled, so I usually know what's wrong when a site seems broken. (2) A click or two can restore it to normal. I don't need to scratch my head or search desperately for a solution.
Stricter settings are okay as long as they match those criteria and DO provide some justifiable security benefit.
Paranoid User wrote: What NoScript settings do you suggest in this case?
They are off by default. I wonder whether I should enable them all. But will it be too restrictive?
Forbid IFRAME
Forbid FRAME
Opaque embedded objects on pages ... trusted (off)
These break too much stuff if checked. I do have "Apply these restrictions to trusted sites too" checked, more as a general content blocker than for security. I have an old, slow computer.
OK. I don't know much about FRAME, but FRAME sounds fine to me and isn't much of a security threat. I guess FRAME is a legacy technology and isn't recommended in web development. But it seems I have already heard of IFRAME a few times as the culprit for hacking or infecting our computers. I don't know if stopping JavaScript is enough to stop such security threats too. Someone who knows more about this subject, please give your opinion.
I'll probably enable "Forbid IFRAME"; hopefully it won't be too annoying.
"Apply these restrictions to trusted sites too": so how do you uncheck them when you want to see them? I haven't tested much, but if I have to uncheck objects one by one when I want to see them all, that might be too annoying.
Advanced -> Untrusted:
- Hide <NOSCRIPT> elements
- Forbid web bugs
- Forbid META redirections inside <NOSCRIPT> elements
If I recall correctly, Forbid web bugs just blocks web bugs inside <NOSCRIPT> elements. It's not a general web bug blocker. (There are good ones available for that already.) I checked that. I can't imagine it causing any usability issues.
I leave Hide <NOSCRIPT> elements unchecked, the default. This gives a page the ability to serve me useful content even if JavaScript is disabled.
I leave Forbid META redirections inside <NOSCRIPT> elements unchecked too. I don't recall ever having any problems with leaving this setting unchecked.
Actually, what does "inside <NOSCRIPT> elements" mean? Isn't it true that NoScript simply applies itself to the whole source code? This seems to mean "forbid web bugs when NoScript is enabled" to me.
Well, and I don't get what <NOSCRIPT> elements are.
What general web bug blocker do you recommend? And do web bugs pose security risks in some way? All they seem to do is track your presence. I'm fine with telling them what I do on their site as long as it doesn't go so far as to identify "me" personally.
Advanced -> Trusted:
- Allow local links (safe to enable?)
In general, not safe. Allow local links only if and when you have a specific need to.
OK.
Advanced -> HTTPS:
Behaviour -> Forbid active web content unless it comes from a secure (HTTPS) connection -> Never (should I change to "when using a proxy" or "always"?)
Cookies -> Enable Automatic Secure Cookies Management (off)
Behavior is set to Never. Four of the sites I use need a little prodding to ensure I never use a non-secure connection. I added them.
Cookies. Enable Automatic Secure Cookies Management was enabled by default when it was first introduced, but it caused a lot of usability problems. That's why it's not enabled by default anymore. I've left it unchecked.
Actually, what does "Automatic Secure Cookies Management" really help with? I value security more and can bear more annoyance when it comes to online banking and financial transactions. But I immediately log out once I finish. Is that enough to solve the problems stated by NoScript? I think it's very secure. Do I still need more?
Selected about:config prefs changes:
noscript.tempGlobal true for additional security
noscript.autoReload.allTabs false for convenience
Hope this helps.
What does noscript.tempGlobal do?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
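The thread asks what "inside <NOSCRIPT> elements" means and what a web bug is. The following added example (not from the thread, and not NoScript's own code) is a small Python audit that walks a constructed HTML page and flags exactly the markup the options discussed act on: frames/iframes, a META refresh redirect placed inside a <noscript> fallback, and a 1x1 tracking image ("web bug") inside <noscript>. The sample page and its hostnames are constructed for the demo.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the thread): an iframe, a normal logo
# image, and a <noscript> fallback that carries a META refresh redirect plus
# a 1x1 tracking pixel, i.e. the content a browser renders only when
# JavaScript is disabled (which is NoScript's default state for a site).
SAMPLE_HTML = """
<html><head><title>demo</title></head><body>
<iframe src="https://ads.example/frame.html"></iframe>
<img src="https://cdn.example/logo.png" width="120" height="40">
<noscript>
  <meta http-equiv="refresh" content="0;url=https://example.test/nojs">
  <img src="https://tracker.example/pixel.gif" width="1" height="1">
</noscript>
</body></html>
"""


def _is_tiny(attrs):
    """A 1x1 (or smaller) image is the classic tracking-pixel 'web bug'."""
    try:
        return int(attrs.get("width", "")) <= 1 and int(attrs.get("height", "")) <= 1
    except ValueError:
        return False


class NoScriptAudit(HTMLParser):
    """Collect findings as (category, tag, src-or-content) tuples."""

    def __init__(self):
        super().__init__()
        self.in_noscript = 0   # depth counter: are we inside <noscript>?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # html.parser lowercases tag and attribute names
        if tag == "noscript":
            self.in_noscript += 1
        elif tag in ("iframe", "frame"):          # "Forbid IFRAME" / "Forbid FRAME"
            self.findings.append(("frame", tag, a.get("src", "")))
        elif tag == "meta" and self.in_noscript and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-redirect-in-noscript", tag, a.get("content", "")))
        elif tag == "img" and self.in_noscript and _is_tiny(a):
            # Mirrors the thread: the option only covers web bugs inside <noscript>
            self.findings.append(("web-bug-in-noscript", tag, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.in_noscript:
            self.in_noscript -= 1


def audit(html):
    parser = NoScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit(SAMPLE_HTML)` reports the iframe, the META redirect and the tracking pixel, but not the 120x40 logo, which shows why a <noscript>-only web bug rule is not a general tracker blocker.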